Date: Mon, 11 Feb 2019 23:24:17 -0800
From: "Rudy (bulk address)" <crapsh@monkeybrains.net>
To: freebsd-ipfw@freebsd.org
Subject: Patch to have ipfw0 work properly in jails
Message-ID: <ebd26c5a84b465183de8f8066f884136.squirrel@mail.monkeybrains.net>
In-Reply-To: <mailman.47.1549886401.19526.freebsd-current@freebsd.org>
Never submitted a patch... is this good enough?
Problem: ipfw logs in a way that is confusing in jails (it logs to the
host syslogd)
Solution: use ipfw0 and make sure to fix up syslog and launch tcpdump if
firewall_logif is set in rc.conf
Thanks,
Rudy
--- /etc/rc.d/ipfw.orig 2019-02-11 23:19:09.074313000 -0800
+++ /etc/rc.d/ipfw 2019-02-11 23:17:37.675032000 -0800
@@ -65,8 +65,23 @@
${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null
fi
if checkyesno firewall_logif; then
- ifconfig ipfw0 create
- echo 'Firewall logging pseudo-interface (ipfw0) created.'
+ if ! ifconfig ipfw0 > /dev/null 2> /dev/null; then
+ ifconfig ipfw0 create
+ echo 'Firewall logging pseudo-interface (ipfw0) created.'
+ # have tcpdump listen to ipfw and send info to logger
+ /usr/sbin/tcpdump -lnti ipfw0 2> /dev/null | /usr/bin/logger -t www
-p security.info &
+ echo "ipfw0 redirecting to syslog"
+ elif ! killall -0 tcpdump 2> /dev/null; then
+ # no tcpdump running... launch it!
+ /usr/sbin/tcpdump -lnti ipfw0 2> /dev/null | /usr/bin/logger -t www
-p security.info &
+ echo "ipfw0 redirecting to syslog"
+ fi
+ fwverbose=`sysctl -n net.inet.ip.fw.verbose`
+ if [ $fwverbose == 1 ]; then
+ # turn down for what ... I mean, turn off verbose so ipfw0 is used.
+ sysctl net.inet.ip.fw.verbose=0 > /dev/null
+ echo "verbose logging off and redirecting to ipfw0"
+ fi
fi
}
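Review bot: the verbose handling at the end of the hunk contradicts the context line at its top: with both firewall_logging and firewall_logif set in rc.conf, the script runs `${SYSCTL} net.inet.ip.fw.verbose=1` and then, a few lines later, sets it straight back to 0, so firewall_logif now silently overrides firewall_logging; either skip the verbose=1 path when firewall_logif is set or document the precedence in rc.conf(5) alongside the patch. In the same block, `if [ $fwverbose == 1 ]; then` uses the non-POSIX `==` and an unquoted variable, so an empty sysctl result yields a test(1) syntax error instead of a clean "no"; write `if [ "$fwverbose" = 1 ]; then`. The tcpdump-to-logger pipeline is pasted twice (once in the create branch, once in the elif) and tags messages `-t www`, which is misleading for firewall output; factor it into one helper and tag it `ipfw`. `killall -0 tcpdump` matches any tcpdump on the system, so an unrelated capture suppresses the ipfw0 logger, and because the pipeline is only backgrounded with `&` and nothing records its pid, the ipfw stop path has no way to terminate it; running it under daemon(8) with a pidfile, and killing that pid on stop, would fix both. Finally, `2> /dev/null` on tcpdump hides its own errors (for example no bpf device in the jail's devfs), which is exactly what a jail user needs to see when ipfw0 logging does not appear.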
